Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

An anonymous reader writes Speaking via a Google Hangout at the Hackers on Planet Earth Conference, Edward Snowden says he plans to work on technology to preserve personal data privacy and called on programmers and the tech industry to join his efforts. "You in this room, right now have both the means and the capability to improve the future by encoding our rights into programs and protocols by which we rely every day," he said. "That is what a lot of my future work is going to be involved in."

Retroshare can give you encrypted IM, mail and forums shared only with your retroshare contacts. It's a big of a headache on dynamic IPs though - it expects all nodes to be mostly-stationary. An observer could work out who your contacts are, but that's all they are getting - metadata only, no content. Also does file transfer and share-browsing.

Thats all the need. If the contact is the press and the sender works/worked for a gov they are both targeted.
The "An observer could work out who your contacts are" gets even better if you try and meet in person. A member of the press turns their phone off and walks in a direction. Any other person in the area who turns their phone off and then on later like the member of the press is tracked.
IP, the internet, mobile phones its all great for tracking back the moment a person in gov tries reach out.
Th

Requiring the government to use fiddly correlation analysis to get a partial idea of your activities is still a lot better than the current situation, where they need issue one sternly-worded letter in order to retrieve everything including content and history.

I've tried RS, Event tried to introduce it to the company but failed for a couple of reasons:

1. The key exchange thing was a bit of a pain for others (don't see a way around that though). It wasn't seamless.2. No smart-phone support. People are not just PC bound.

They ended up using HipChat.

The thing is, RS is designed for the security conscious who are prepared to put up with a bit of stuffing around because there's nothing better out there. When people consider security 'a nice to have' with ease of use be

An app won't give you much anonymity. You need to start from the ground up with an OS that leaves no trace on the hardware and has good encryption and anonymity tools built in.Here's a good start: TAILShttps://tails.boum.org/ [boum.org]

As long as it's not the latest curve, privacy preserving crypto can be written by NSA itself, and still be secure for you. SELinux was written by NSA, and I don't have a problem using it. Your security model shouldn't rely on the party your software came from. It should rely on the software itself, idependent reviews, and, if you can't afford your own review, the many-eyes-principle (which has chilling effects).The russians could only say "this is too secure, design something that can be broken more easily".

Assumptions breed ignorance. And even you were likely surprised over the capabilities and activities revealed by the very person we're discussing here. One would have thought you would have learned when random number generators were found to be not-so-random, and encrypted microcode updates validating themselves against compromised key servers came along.

But hey, if you truly feel that it doesn't matter who makes it, then feel free to ignore those export control laws and purchase your electronics where th

You are arguing that it does matter who makes the software, yet take examples of the unchecked software to be examples of supporting your case. Even if you get down to hardware level, you are back to square 1 - unchecked code.

As for the build process, that only depends how thick is your tin-foil hat. I don't see any reason why Soviets are going to be any worse in producing your hardware then 'muricans or Chinese.

Why (and this is the point,) would you trust the NSA any more than the Russian government? Neither wants you to be able to hide what you're doing from them. If these last few years have taught us anything, it's that your government, (wherever you live,) and possibly other governments, should be regarded as the same as any other group of people who could potentially do you harm by knowing things you might want to keep to yourself, whether or not you've committed any legitimate transgression or 'crime' as t

1+ for 'So forget crypto as a privacy device, unless you're prepared to make it yourself, test in yourself, and be responsible for it yourself. The only unbreakable crypto is the (TRULY F'ING RANDOM) one-time pad, and only if it's used correctly."
Thats really the only way, one time pad used once, number stations. The key to all the free quality crypto was that all the press where been watched anyway so you get to encode all you want. The moment you send, attempt contact, its just tracked back. No need f

So, who will be auditing Snowden's code? I wouldn't even consider using anything he wrote without independent third party audits.... lots of audits of the code, design, algorithms, everything. And no binaries that he builds.

Imagine the evasive power of the dual or triple functionality achieved by some of the Obfuscated C content entries combined with the subtle designs of Russian government cryptographers. No threat there, no sir.

Can he actually write code? And I mean code at the level of sophistication required for the type of functionality he is calling for? What he is calling for is way beyond the realm of sysadmin-related programming.

I'm guessing, with the crowd he was speaking to this kind of project would be open source.

I've taken the time to watch some of the Chaos Computer Club videos on cryptography, which I think is loosely connected with this HOPE crowd. They seem like a very sharp bunch. I would certainly take my chances on anything they've hammered on.

Securing the technology is one thing - that in itself will be a huge job, because depending on how far you want to take it, you can end up needing to sandbox each application and harden each layer of the communication stack.You might need a complete new protocol ecosystem based on only systems which are open source (not just because I like open source, but so that everything can be audited and peer-reviewed at the code level), built with compilers which themselves are not only trusted but also auditable as matching their published source code, and using communication protocols which are themselves open source and audited.

Put all of that together, and you still have the biggest security/privacy threat to deal with - the ID-10-T (aka the user sitting at the computer). Until users of a computer system are educated - not necessarily to the extent that they can themselves audit source code, but at least to the point where they can recognize compromised behaviour of a computer system - then they will always be the weak link in a security/privacy model for IT systems. Getting away from the Windows/local admin culture would be a huge step, but until the most idiotic and incompetent user of a given computer system is either isolated from the ability to do anything or educated to prevent them doing dumb stuff, the computer they use must be considered compromised and all users of that computer must be considered at risk.

Small steps. Move away from the brands that helped ie the PRISM list of willing brands and tame staff building junk systems.
Understand how "open source" telco layers over tame telco software and hardware can save any data on entry.
ie once your targeted all is privacy lost no matter the fancy open source app. The security services will be in every hop of any network into and out of your computer/device until they get full plain text.
Encryption seems to be the key until your use of it shows up at an endpoint under constant surveillance. Then the individual targeting starts on the new person.
The most easy step is to make encryption more gui, web 2.0 friendly. Then a lot more people will be flooding the net with random heavy code 24/7.
Use once hardware would be interesting. It would stop any longterm profile, any unique hardware numbers been sent. If you then work on really good crypto to hide voice, pic, file sent, text you could kind of have a one session. Snowden hinted a bit about association (you to the press), mixed routing, the need for unattributable internet access in the 1h+ talk.
A lot of steps to fix an internet that is now really like Tempora https://en.wikipedia.org/wiki/... [wikipedia.org] and what that can do to your message and a person in the press been watched.
The other aspect was education. A civic duty to teach, educate the wider public and press. The classic Sysadmins of the world, unite! also mentioned.

I would say the bigger problem right now is that people don't care enough, period. Your average person is going to want to use whatever is cheaper, or whatever they have now, and isn't aware enough to demand something better and isn't going to want to pay for it. Existing products and services don't have a lot of incentive to improve because the customers don't care enough. As long as competition keeps the playing field level, as long as noone tightens up their security, nobody has to spend money on some

It doesn't have to be perfect, it just has to increase the cost of mass surveillance to a level where it is no longer feasible. Surveillance is too cheap because much of the data is just there for collection, unprotected.

For example, the UK government just pass emergency data retention laws that require all ISPs to continue logging the domain names of every web site every subscriber visits. If more people started using VPNs regularly that capability would become far less useful, and while I'm sure they could attack the VPN providers or crypto or even the individual target's computers the cost would be much higher than simply requiring the ISP to run a large database. They would be forced to stop bulk collection and only target people of genuine interest, which is the reasonable.

For a start, just convince every site to use SSL. It's possible to MITM SSL, but not on a large scale without detection. All the ISPs would be able to log is DNS lookups and IP addresses, which is still bad but not nearly as bad as being able to see individual pages accessed. Then you can start looking into possible ways to make DNS harder to monitor somehow.

Edward Snowden certainly has name recognition in the security space, which in branding terms equals big money. He's got his share of wild and crazy times overseas doing various hijinx not always on the up and up, sorta just like other security specialists [slashdot.org] of an earlier generation. Sure, in terms of branding alone Snowden could easily become the next McAfee, and he's still very young!

And isn't as if they weren't both wanted on international warrants either; and street cred. does sell sneakers.

A protocol isn't built on an implementation. Use a version of OpenSSL that doesn't have known bugs or use another SSL implementation if you want to.Claiming that HTTPS is unsafe just because one implementation has bugs is like saying that C is slow because someone wrote a bad compiler once.

Bwa ha ha ha ha ha ha ha!Yeah, the guys who are making LibreSSL probably wish you could be doing that. If they weren't compelled to make a decent SSL implementation, they could probably focus more on things like the anti-botnet research of the Hail Mary cloud. But, since OpenSSL is known to not patch bugs, they've decided that this other work is necessary.Please don't refer to an OpenSSL version that doesn't have known bugs. Just because one super-critical bug has been identified and addressed does not m

At this point I'm thinking that the NSA or GCHQ asked them not to implement HTTPS. What other reason could there be for not taking the simple, low cost, minimal action required to enable it? Soylent News, which runs on the same code base, supports it.

It's a small part, but it's a part. I think Snowden has done his fair share of trying to inform laymen and stir up giving-a-fuck. If he wants to switch to working on tech, he could accomplish nothing and still come out far ahead of the rest of us.;-)

The existence of a decent open-source router can't do much against a U.S. National Security Letter.

While we certain should care enough to force our government to stop being our adversary, there will always nevertheless be adversaries. You have to work on the

A nice step ahead would be the establishment of a new set of root certificates and an accompanying authority that signs other peoples certificates. All located in a country that doesn't play ball with NSA and other thugs.

This would do a lot to dampen the routine man-in-the-middle we see these days.

We have already have them. We need Google and mozilla to stop being little bitches and bending over for the CA's and security services and implent DANE already in their browsers. I don't buy for a fucking minute that they don't implement it because it's not common enough yet...

A nice step ahead would be the establishment of a new set of root certificates...

The lesson of CA failure is that there shouldn't be root authorities. Users (or the people who set things up for them, in the case of novices) should be deciding whom they trust and how much, and certificates should be signed by many different parties, in the hopes that some of them are trusted by the person who uses it.

If you want to catch up to ~1990 [wikipedia.org] tech, then you need to remove the "A" in "CA."

Unless you worked at Netscape in the mid-1990s, no insult was intended.

All I meant is that by the very early 1990s, we (and by "we" I mean people smarter than me; I was clueless at the time) had a pretty good idea that CAs wouldn't work well outside of real power hierarchies (e.g. corporate intranets). But then a few years later the web browser people came along and adopted X.509's crap, blowing off the more recent PKI improvements, in spite of the fact that it looked

There are already plenty of CA's in countries that are not under US jurisdiction. However, so far the CA's that issued bad certs were all outside the USA, and appear to have only done so because they got hacked and not because they were e.g. forced to by court order.

Unless you have a magical solution to hacking I don't think your new root CA would solve much.

Additionally, citation needed for "routine man in the middle". SSL MITM has been studied by academics at scale. They did not find evidence of much. Gov

Nothing I have read about Snowden indicates that he is actually some sort of uber-hacker or capable of the type of software engineering that this proposal would entail. Is his plan just to use his name to fundraise (In bit coin, I guess. I doubt many people are stupid/brave enough to attach their name to a donation towards anything to do with this guy) and attract talent, or is he honestly going to try and release code himself, which will probably be of poor-to-average quality and expect the world to adopt it?

I mean, let's be honest: Either way, whether he's going to just try and brand the stack or contribute, we have technologies that are perfectly good (that is, however, not to say perfect) already -- its just they aren't particularly widely deployed. How many organizations are running IPSec internally, other than just for site-to-site VPN tunnels? How many organizations are deploying DNSSec outside of governments and the military? How many organizations are using PGP or similar asymmetric encryption between employees? Making it easier might help, but chances are that the vast, vast majority of individuals aren't going to jump on any of these technologies in any great numbers unless they are mandated to (like at work, where they don't have a choice), but it isn't as if the government is going to make it a requirement that you try and "spy proof" your computer and communications.

Nothing I have read about Snowden indicates that he is actually some sort of uber-hacker or capable of the type of software engineering that this proposal would entail. Is his plan just to use his name to fundraise (In bit coin, I guess. I doubt many people are stupid/brave enough to attach their name to a donation towards anything to do with this guy) and attract talent, or is he honestly going to try and release code himself, which will probably be of poor-to-average quality and expect the world to adopt it?

All that counts is that Snowden has the balls and integrity that is so lacking in the "uber-hacker" department. You can't threaten Snowden, you can't bribe him. An uber-hacker, you can buy him out or scare him.

Anyways, you don't uber-hackers to develop security software. The encryption algorithms are university research level stuff and as long as you understand the basics of it, you're fine. The rest is just writing code around it that a decent programmer should be able to handle well.

All I've written are two programs illegal in the US - but that's because one infringes on a software patent, and the other is a circumvention device under the DMCA. It's also a trivial program consisting of about five lines of C, but that doesn't really matter.

So now I guess ZeroKnowledge [wikipedia.org] was 16 years too early. I remember laughing at it.

I still don't care wether NSA or other idiots read my mail for I have nothing to hide. But the prospect of ill-advised policy enforcer's ability to use otherwise benign data as scapegoating is irritating.

This is my original artwork, CC BY-NC-SA, so print a pile and spread them around if you like. I use psprint.com, and I recommend searching "vinyl bumper stickers" on DuckDuckGo, where psprint is usually running a coupon in the search results. I haven't received the color proofs for this version yet, but these are corrected from a previo

I applaud and vigorously support Mr. Snowden's suggestion that our rights MUST (my emphasis) be encoded into the programs and PROTOCOLS on which we rely every day. I seriously and sincerely doubt however that anyone, let alone the entrenched interests who construct and maintain the Internet, will in any way be moved to action.

As instance I cite the farce that is known as email. Architectural and design decision were made which did not consider the mass adoption of email by billions. Nor were the possibil

How many more wars?
As for 'if the Germans knew about it." is the classic understanding of ww2 crypto. Germany trusted the machine, upgraded it a bit and had all its spies turned.
Lets take Normandy. Army Group B has some idea, Pz Lehr Division was moved, Germany had a spy near the British ambassador to Turkey, the Royal Navy had lost aspects to its low level codes, British railroads codes had been lost by late 1943, the German airforce saw changes in US and UK practice traffic, US Transport Command lo

You seem to be comparing two searches:1) Done on ALL civilians, including people who were suspected of nothing2) Specifically targeting official transmissions with probable cause to expect genocide

I don't know about the other would-be traitors, but the problem I have isn't with intercepting any communications of any kind; it's with searching innocent people. I'm perfectly OK with the NSA hacking actual terrorists.